Sicherheit: Apache 1.3.14 behebt mehrere Lücken in Modulen

Lesezeichen hinzufügen

---------------------------------------------------------------------
Red Hat, Inc. Security Advisory

Synopsis: Updated apache, php, mod_perl, and auth_ldap packages
available.
Advisory ID: RHSA-2000:088-05
Issue date: 2000-10-18
Updated on: 2000-11-27
Product: Red Hat Linux
Keywords: apache mod_rewrite format string virtual host
Cross references: N/A
---------------------------------------------------------------------

1. Topic:

Updated apache, php, mod_perl, and auth_ldap packages are now available for

Red Hat Linux 5.2, 6.0, 6.1, 6.2, and 7.

2000-11-27: Added packages for Red Hat Linux 7 for Alpha

2. Relevant releases/architectures:

Red Hat Linux 5.2 - i386, alpha, sparc
Red Hat Linux 6.0 - i386, alpha, sparc
Red Hat Linux 6.1 - i386, alpha, sparc
Red Hat Linux 6.2 - i386, alpha, sparc
Red Hat Linux 7.0 - i386, alpha

3. Problem description:

A vulnerability in the mod_rewrite module and vulnerabilities in the

virtual hosting facility in versions of Apache prior to 1.3.14 may allow

attackers to view files on the server which are meant to be inaccessible.

Format string vulnerabilities have been found in PHP versions 3 and 4.

Because upgrading to Apache 1.3.14 creates binary incompatibilities with

web server modules built against older versions of Apache, the remaining

RPMs listed here must be upgraded as well.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

Users of Red Hat Linux 6.0 and 6.1 will need to manually install the

apache-manual-1.3.14-1.6.2 package by running:

rpm -Uvh [filename]

No vendor fixes are available for any vulnerabilities which may be present

in the phpfi package included with Red Hat Linux 5.2 and 6.x. Users are

urged to uninstall the package by running:

rpm -e phpfi

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):

18881 - mod_rewrite bug allows access despite deny/allow filters
18965 - PHP remote format string vulnerabilities
19203 - New mysql packages breaks php with apache

6. RPMs required:

Red Hat Linux 5.2:

alpha:
ftp://updates.redhat.com/5.2/alpha/apache-1.3.14-2.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/apache-devel-1.3.14-2.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/mod_perl-1.19-2.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/php-3.0.17-1.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/php-manual-3.0.17-1.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/php-pgsql-3.0.17-1.5.x.alpha.rpm

sparc:
ftp://updates.redhat.com/5.2/sparc/apache-1.3.14-2.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/apache-devel-1.3.14-2.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/mod_perl-1.19-2.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/php-3.0.17-1.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/php-manual-3.0.17-1.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/php-pgsql-3.0.17-1.5.x.sparc.rpm

i386:
ftp://updates.redhat.com/5.2/i386/apache-1.3.14-2.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/apache-devel-1.3.14-2.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/mod_perl-1.19-2.i386.rpm
ftp://updates.redhat.com/5.2/i386/php-3.0.17-1.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/php-manual-3.0.17-1.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/php-pgsql-3.0.17-1.5.x.i386.rpm

sources:
ftp://updates.redhat.com/5.2/SRPMS/apache-1.3.14-2.5.x.src.rpm
ftp://updates.redhat.com/5.2/SRPMS/mod_perl-1.19-2.src.rpm
ftp://updates.redhat.com/5.2/SRPMS/php-3.0.17-1.5.x.src.rpm

Red Hat Linux 6.2:

alpha:
ftp://updates.redhat.com/6.2/alpha/apache-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/apache-devel-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/apache-manual-1.3.14-2.6.2.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/auth_ldap-1.4.0-3.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/mod_perl-1.23-3.alpha.rpm

sparc:
ftp://updates.redhat.com/6.2/sparc/apache-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/apache-devel-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/apache-manual-1.3.14-2.6.2.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/auth_ldap-1.4.0-3.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/mod_perl-1.23-3.sparc.rpm

i386:
ftp://updates.redhat.com/6.2/i386/apache-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/apache-devel-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/apache-manual-1.3.14-2.6.2.i386.rpm
ftp://updates.redhat.com/6.2/i386/auth_ldap-1.4.0-3.i386.rpm
ftp://updates.redhat.com/6.2/i386/mod_perl-1.23-3.i386.rpm

sources:
ftp://updates.redhat.com/6.2/SRPMS/apache-1.3.14-2.6.2.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/auth_ldap-1.4.0-3.src.rpm
ftp://updates.redhat.com/6.2/SRPMS/mod_perl-1.23-3.src.rpm

Red Hat Linux 7.0:

alpha:
ftp://updates.redhat.com/7.0/alpha/apache-1.3.14-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/apache-devel-1.3.14-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/apache-manual-1.3.14-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/mod_ssl-2.7.1-3.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/mod_php-4.0.3pl1-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-4.0.3pl1-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-imap-4.0.3pl1-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-ldap-4.0.3pl1-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-manual-4.0.3pl1-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-mysql-4.0.3pl1-1.alpha.rpm
ftp://updates.redhat.com/7.0/alpha/php-pgsql-4.0.3pl1-1.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/i386/apache-1.3.14-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/apache-devel-1.3.14-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/apache-manual-1.3.14-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/mod_ssl-2.7.1-3.i386.rpm
ftp://updates.redhat.com/7.0/i386/mod_php-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-imap-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-ldap-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-manual-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-mysql-4.0.3pl1-1.i386.rpm
ftp://updates.redhat.com/7.0/i386/php-pgsql-4.0.3pl1-1.i386.rpm

sources:
ftp://updates.redhat.com/7.0/SRPMS/apache-1.3.14-3.src.rpm
ftp://updates.redhat.com/7.0/SRPMS/php-4.0.3pl1-1.src.rpm

7. Verification:

MD5 sum Package Name
--------------------------------------------------------------------------
df41190a206067dcb897cf08adc87b0d 5.2/SRPMS/apache-1.3.14-2.5.x.src.rpm
e4f9d3a172651de8bf51e82d0899a4f5 5.2/SRPMS/mod_perl-1.19-2.src.rpm
13e2403401812f5b4eec8ac8b7f866ff 5.2/SRPMS/php-3.0.17-1.5.x.src.rpm
517170fbf13f1f096e68da9d1e0cc4f4 5.2/alpha/apache-1.3.14-2.5.x.alpha.rpm
d402ae6a56609910c7940f3b836451df 5.2/alpha/apache-devel-1.3.14-2.5.x.alpha.rpm
68fd20e06f04131e1387314d102bae92 5.2/alpha/mod_perl-1.19-2.alpha.rpm
54bc62a008a60df77ce77f5e0cda873b 5.2/alpha/php-3.0.17-1.5.x.alpha.rpm
4cccb9bb1a76114670400401bf374a86 5.2/alpha/php-manual-3.0.17-1.5.x.alpha.rpm
3c2fdd01baa590739b1d5e71b6d02675 5.2/alpha/php-pgsql-3.0.17-1.5.x.alpha.rpm
36f489a538e44e7d2bc305807ed08405 5.2/i386/apache-1.3.14-2.5.x.i386.rpm
b83959d1952baa3bfc6b9ba07114c433 5.2/i386/apache-devel-1.3.14-2.5.x.i386.rpm
1aa083e13c19f0fae9bbd07fadae5ea5 5.2/i386/mod_perl-1.19-2.i386.rpm
ba0866d9cfd0abad21639ec969633c4c 5.2/i386/php-3.0.17-1.5.x.i386.rpm
807782b7bac638533b562f95eb0de247 5.2/i386/php-manual-3.0.17-1.5.x.i386.rpm
fedf34da25d898a31a24d25ade384650 5.2/i386/php-pgsql-3.0.17-1.5.x.i386.rpm
d77722cee125faf00fc0b82da5a4a90b 5.2/sparc/apache-1.3.14-2.5.x.sparc.rpm
7920d5a2fd684d7e3fa0bc1b2f0a7cfd 5.2/sparc/apache-devel-1.3.14-2.5.x.sparc.rpm
a8fc90d73b51006f641a355d864b361c 5.2/sparc/mod_perl-1.19-2.sparc.rpm
690d2cc9499437923a1ada5df70a0b33 5.2/sparc/php-3.0.17-1.5.x.sparc.rpm
405b9044b23c9f619f7ed8feec86efd0 5.2/sparc/php-manual-3.0.17-1.5.x.sparc.rpm
9d3097d4af4d526c716456ffdb731413 5.2/sparc/php-pgsql-3.0.17-1.5.x.sparc.rpm
a5effcd6e850154541b38e64b9ee5e4e 6.2/SRPMS/apache-1.3.14-2.6.2.src.rpm
48c4f91c4c40342a51ef378c5f64f864 6.2/SRPMS/auth_ldap-1.4.0-3.src.rpm
54b94ee28f0b82a73f689e1c13b0784c 6.2/SRPMS/mod_perl-1.23-3.src.rpm
d9afb78c66171faca081f2fdcbea261a 6.2/alpha/apache-1.3.14-2.6.2.alpha.rpm
45b1d2625571c3a566545cc4f1a863b0 6.2/alpha/apache-devel-1.3.14-2.6.2.alpha.rpm
16dc43f3fb474e60a43668ccc78c099e
6.2/alpha/apache-manual-1.3.14-2.6.2.alpha.rpm
733d9648c3a7a832f3bac28a18153594 6.2/alpha/auth_ldap-1.4.0-3.alpha.rpm
8c2419a3fd55318fb9a62edab5a91e9b 6.2/alpha/mod_perl-1.23-3.alpha.rpm
1f968d559a5ce71e429859c8b81ffdb5 6.2/i386/apache-1.3.14-2.6.2.i386.rpm
bb3c78ab90942ed4259fe6fe11bd4101 6.2/i386/apache-devel-1.3.14-2.6.2.i386.rpm
5c4b8793cf47175a54d2d51ac1ac1508 6.2/i386/apache-manual-1.3.14-2.6.2.i386.rpm
551b45464efc5c8f471993f8360040a5 6.2/i386/auth_ldap-1.4.0-3.i386.rpm
d4ba84c07ce740e8e185866dc5cee5dd 6.2/i386/mod_perl-1.23-3.i386.rpm
597bbaa612e5b07e248a2f9a62eab0a1 6.2/sparc/apache-1.3.14-2.6.2.sparc.rpm
7a1c02fbee1451b8fd73d8629f3c25a3 6.2/sparc/apache-devel-1.3.14-2.6.2.sparc.rpm
70bbeed9f84a6a730a907f26a90878a2
6.2/sparc/apache-manual-1.3.14-2.6.2.sparc.rpm
7deccfc223e8081306f99bb64ed087c3 6.2/sparc/auth_ldap-1.4.0-3.sparc.rpm
0476d641548a2369635aabb7c093b177 6.2/sparc/mod_perl-1.23-3.sparc.rpm
1066b83f9753a657222e8b962f9c4bde 7.0/SRPMS/apache-1.3.14-3.src.rpm
ea87dea6a65416332fe990ac81b6b201 7.0/SRPMS/php-4.0.3pl1-1.src.rpm
aec2c14482779fe75d1e50bbd90cd9f4 7.0/alpha/apache-1.3.14-3.alpha.rpm
180ae715371746e3b297ee874d81b51a 7.0/alpha/apache-devel-1.3.14-3.alpha.rpm
2d75a75dd886a8eed0e24a93e4ce5461 7.0/alpha/apache-manual-1.3.14-3.alpha.rpm
a6ab4c8fba2cf8d65a4a79d78a48127a 7.0/alpha/mod_php-4.0.3pl1-1.alpha.rpm
d13f857ee164be0e971c3246e4afb623 7.0/alpha/mod_ssl-2.7.1-3.alpha.rpm
c119952c9d98d126f4cf8b5d2c709736 7.0/alpha/php-4.0.3pl1-1.alpha.rpm
1b546a6f8526a494cc8bb49b51133539 7.0/alpha/php-imap-4.0.3pl1-1.alpha.rpm
ed0329c9827a4e454249564d452101e7 7.0/alpha/php-ldap-4.0.3pl1-1.alpha.rpm
0aa9d2933f961269a28ada491b300a72 7.0/alpha/php-manual-4.0.3pl1-1.alpha.rpm
8dc0f5b84c6df6fb57d1d9394a7b7ca6 7.0/alpha/php-mysql-4.0.3pl1-1.alpha.rpm
db28f5c7ea3217ec21452e330facaa97 7.0/alpha/php-pgsql-4.0.3pl1-1.alpha.rpm
683e6b5719b2b2b08e415be4cd0fcd77 7.0/i386/apache-1.3.14-3.i386.rpm
80707bdf583dafaf489df27a50abc34d 7.0/i386/apache-devel-1.3.14-3.i386.rpm
24aea071ebbdc20e5261c90be1920f86 7.0/i386/apache-manual-1.3.14-3.i386.rpm
01e7bc2e663ed4321f682f78ab6583b5 7.0/i386/mod_php-4.0.3pl1-1.i386.rpm
ef677d9bb9fde13420facd69bfa682a6 7.0/i386/mod_ssl-2.7.1-3.i386.rpm
4af5925b890178d02aa56fc739fdbf88 7.0/i386/php-4.0.3pl1-1.i386.rpm
29576298d7a54a98386a767dccb4f2df 7.0/i386/php-imap-4.0.3pl1-1.i386.rpm
68995fab457f0256852bd68e522c484c 7.0/i386/php-ldap-4.0.3pl1-1.i386.rpm
03a1cfe5665bae3f994fc08b62fe7e1b 7.0/i386/php-manual-4.0.3pl1-1.i386.rpm
1e63695b8f3b87ed72a04d1f94c3eced 7.0/i386/php-mysql-4.0.3pl1-1.i386.rpm
cd0c40cac3bdb68fae1ca596cd31f819 7.0/i386/php-pgsql-4.0.3pl1-1.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:
http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg <filename>

8. References:

http://www.securityfocus.com/vdb/bottom.html?vid=1728
http://www.securityfocus.com/vdb/bottom.html?vid=1786

Copyright(c) 2000 Red Hat, Inc.

_______________________________________________
Redhat-watch-list mailing list
To unsubscribe, visit: https://listman.redhat.com/mailman/listinfo/redhat-watch-list